Example of xss injection implemented by HttpServletRequestWrapper in Java-javaTutorial-php.cn

    <filter>  
            <filter-name>XssEscape</filter-name>  
            <filter-class>cn.pconline.morden.filter.XssFilter</filter-class>  
        </filter>  
        <filter-mapping>  
            <filter-name>XssEscape</filter-name>  
            <url-pattern>/*</url-pattern>  
            <dispatcher>REQUEST</dispatcher>  
        </filter-mapping>

Copy after login

XssFilter The implementation is to implement the servlet's Filter interface

    package cn.pconline.morden.filter;  
      
    import java.io.IOException;  
      
    import javax.servlet.Filter;  
    import javax.servlet.FilterChain;  
    import javax.servlet.FilterConfig;  
    import javax.servlet.ServletException;  
    import javax.servlet.ServletRequest;  
    import javax.servlet.ServletResponse;  
    import javax.servlet.http.HttpServletRequest;  
      
    public class XssFilter implements Filter {  
          
        @Override  
        public void init(FilterConfig filterConfig) throws ServletException {  
        }  
      
        @Override  
        public void doFilter(ServletRequest request, ServletResponse response,  
                FilterChain chain) throws IOException, ServletException {  
            chain.doFilter(new XssHttpServletRequestWrapper((HttpServletRequest) request), response);  
        }  
      
        @Override  
        public void destroy() {  
        }  
    }

Copy after login

The key is the implementation of XssHttpServletRequestWrapper, inherit the servlet's HttpServletRequestWrapper, and rewrite the corresponding several methods that may bring xss attacks, such as:

    package cn.pconline.morden.filter;  
      
    import javax.servlet.http.HttpServletRequest;  
    import javax.servlet.http.HttpServletRequestWrapper;  
      
    import org.apache.commons.lang3.StringEscapeUtils;  
      
    public class XssHttpServletRequestWrapper extends HttpServletRequestWrapper {  
      
        public XssHttpServletRequestWrapper(HttpServletRequest request) {  
            super(request);  
        }  
      
        @Override  
        public String getHeader(String name) {  
            return StringEscapeUtils.escapeHtml4(super.getHeader(name));  
        }  
      
        @Override  
        public String getQueryString() {  
            return StringEscapeUtils.escapeHtml4(super.getQueryString());  
        }  
      
        @Override  
        public String getParameter(String name) {  
            return StringEscapeUtils.escapeHtml4(super.getParameter(name));  
        }  
      
        @Override  
        public String[] getParameterValues(String name) {  
            String[] values = super.getParameterValues(name);  
            if(values != null) {  
                int length = values.length;  
                String[] escapseValues = new String[length];  
                for(int i = 0; i < length; i++){  
                    escapseValues[i] = StringEscapeUtils.escapeHtml4(values[i]);  
                }  
                return escapseValues;  
            }  
            return super.getParameterValues(name);  
        }  
          
    }

Copy after login

At this point, the input filtering is completed.

When displaying data on the page, simply use fn:escapeXml() to escape the output where XSS vulnerabilities may occur.

Display of complex content, specific issues will be analyzed in detail

In addition, if you do not want to display the filtered content in some cases, you can use the StringEscapeUtils.unescapeHtml4() method to replace StringEscapeUtils.escapeHtml4(). The characters after escaping are restored to their original appearance

The above is the detailed content of Example of xss injection implemented by HttpServletRequestWrapper in Java. For more information, please follow other related articles on the PHP Chinese website!

Statement of this Website

The content of this article is voluntarily contributed by netizens, and the copyright belongs to the original author. This site does not assume corresponding legal responsibility. If you find any content suspected of plagiarism or infringement, please contact admin@php.cn

Hot AI Tools

Undresser.AI Undress

AI-powered app for creating realistic nude photos

AI Clothes Remover

Online AI tool for removing clothes from photos.

Undress AI Tool

Undress images for free

Clothoff.io

AI clothes remover

Video Face Swap

Swap faces in any video effortlessly with our completely free AI face swap tool!

Hot Article

How to fix KB5055612 fails to install in Windows 10?

4 weeks ago By DDD

Roblox: Grow A Garden - Complete Mutation Guide

3 weeks ago By DDD

Roblox: Bubble Gum Simulator Infinity - How To Get And Use Royal Keys

3 weeks ago By 尊渡假赌尊渡假赌尊渡假赌

Nordhold: Fusion System, Explained

4 weeks ago By 尊渡假赌尊渡假赌尊渡假赌

Mandragora: Whispers Of The Witch Tree - How To Unlock The Grappling Hook

3 weeks ago By 尊渡假赌尊渡假赌尊渡假赌

Hot Tools

Notepad++7.3.1

Easy-to-use and free code editor

SublimeText3 Chinese version

Chinese version, very easy to use

Zend Studio 13.0.1

Powerful PHP integrated development environment

Dreamweaver CS6

Visual web development tools

SublimeText3 Mac version

God-level code editing software (SublimeText3)

Hot Topics

Java Tutorial

1670

CakePHP Tutorial

1428

Laravel Tutorial

1329

PHP Tutorial

1274

C# Tutorial

1256

Related knowledge

PHP: A Key Language for Web Development Apr 13, 2025 am 12:08 AM

PHP is a scripting language widely used on the server side, especially suitable for web development. 1.PHP can embed HTML, process HTTP requests and responses, and supports a variety of databases. 2.PHP is used to generate dynamic web content, process form data, access databases, etc., with strong community support and open source resources. 3. PHP is an interpreted language, and the execution process includes lexical analysis, grammatical analysis, compilation and execution. 4.PHP can be combined with MySQL for advanced applications such as user registration systems. 5. When debugging PHP, you can use functions such as error_reporting() and var_dump(). 6. Optimize PHP code to use caching mechanisms, optimize database queries and use built-in functions. 7

PHP vs. Python: Understanding the Differences Apr 11, 2025 am 12:15 AM

PHP and Python each have their own advantages, and the choice should be based on project requirements. 1.PHP is suitable for web development, with simple syntax and high execution efficiency. 2. Python is suitable for data science and machine learning, with concise syntax and rich libraries.

Break or return from Java 8 stream forEach? Feb 07, 2025 pm 12:09 PM

Java 8 introduces the Stream API, providing a powerful and expressive way to process data collections. However, a common question when using Stream is: How to break or return from a forEach operation? Traditional loops allow for early interruption or return, but Stream's forEach method does not directly support this method. This article will explain the reasons and explore alternative methods for implementing premature termination in Stream processing systems. Further reading: Java Stream API improvements Understand Stream forEach The forEach method is a terminal operation that performs one operation on each element in the Stream. Its design intention is

PHP vs. Other Languages: A Comparison Apr 13, 2025 am 12:19 AM

PHP is suitable for web development, especially in rapid development and processing dynamic content, but is not good at data science and enterprise-level applications. Compared with Python, PHP has more advantages in web development, but is not as good as Python in the field of data science; compared with Java, PHP performs worse in enterprise-level applications, but is more flexible in web development; compared with JavaScript, PHP is more concise in back-end development, but is not as good as JavaScript in front-end development.

PHP vs. Python: Core Features and Functionality Apr 13, 2025 am 12:16 AM

PHP and Python each have their own advantages and are suitable for different scenarios. 1.PHP is suitable for web development and provides built-in web servers and rich function libraries. 2. Python is suitable for data science and machine learning, with concise syntax and a powerful standard library. When choosing, it should be decided based on project requirements.

PHP's Impact: Web Development and Beyond Apr 18, 2025 am 12:10 AM

PHPhassignificantlyimpactedwebdevelopmentandextendsbeyondit.1)ItpowersmajorplatformslikeWordPressandexcelsindatabaseinteractions.2)PHP'sadaptabilityallowsittoscaleforlargeapplicationsusingframeworkslikeLaravel.3)Beyondweb,PHPisusedincommand-linescrip

PHP: The Foundation of Many Websites Apr 13, 2025 am 12:07 AM

The reasons why PHP is the preferred technology stack for many websites include its ease of use, strong community support, and widespread use. 1) Easy to learn and use, suitable for beginners. 2) Have a huge developer community and rich resources. 3) Widely used in WordPress, Drupal and other platforms. 4) Integrate tightly with web servers to simplify development deployment.

PHP vs. Python: Use Cases and Applications Apr 17, 2025 am 12:23 AM

PHP is suitable for web development and content management systems, and Python is suitable for data science, machine learning and automation scripts. 1.PHP performs well in building fast and scalable websites and applications and is commonly used in CMS such as WordPress. 2. Python has performed outstandingly in the fields of data science and machine learning, with rich libraries such as NumPy and TensorFlow.

See all articles